> AFAIK, most security bugs are never reported to MITRE or Secunia or the
> like. For most "smaller" projects, I would guess that the majority of
> security bugs are fixed in the normal course of development without any
> sort of special advisories, except perhaps in the changelog published by
> upstream.
if it is mentioned at all. Chances are good that projects which do not
actively announce security issues won't mention them in the changelogs.
Some people really think that fixing security bugs silently is better
than the "bad" publicity from an announcement.
--
Bernd Zeimetz
<bernd@bzed.de> <http://bzed.de/>